Cerb4 & LDAP


djoos
09-25-2007, 10:41 AM
I saw there's some code in comment for LDAP authentication in the login.classes.php - does anyone know whether I'd be able to use it?

I've added my own implementation of an LDAP-login (with testing on the value of the password) - but: apparently DevblocksSession is not a known class (yet?)...

[CERBERUS CODE]
$session = DevblocksPlatform::getSessionService();
$visit = new DevblocksSession();
// [TODO]: Need to set real properties here
$visit->id = 1;
$visit->login = 'ldap_user';
$visit->admin = 1;
$session->visit = $visit;
$_SESSION['um_visit'] = $visit;
[/CERBERUS CODE]

Is there anyone who has got some more information about this issue? Thanks in advance!

jstanden
09-25-2007, 10:54 PM
Hey there,

Dan had a working LDAP authentication plug-in going early in 4.0 development, but due to the constant evolution of the codebase (which kept breaking it) we just commented it out.

It's pretty trivial for us to get this going again now that things in 4.0 are pretty conceptually stable.

I've added a task on the project roadmap for this:
http://www.wgmdev.com/jira/browse/CHD-183

We can get this going for both helpdesk logins and customer authentication through the new ("soon-to-be-re-released") Support Center.

Thanks!

djoos
09-26-2007, 11:01 AM
[QUOTE]
We can get this going for both helpdesk logins and customer authentication through the new ("soon-to-be-re-released") Support Center.
[/QUOTE]

Is there any information available about the "soon-to-be-released"-time scale? Eg. within a month or within a couple of months?

Thanks in advance for the information!

jstanden
09-26-2007, 06:16 PM
Hey there!

Regarding the core Support Center, I'm working to get it in Subversion and announced on the forums this afternoon (Pacific time).

As for "soon" and LDAP, I highly doubt it will take months for us to get to it. I posted our roadmap as a sticky topic on the "Concepts" forum. LDAP has a lower priority than a lot of those things, but it's also much quicker to develop (and something any developer here can do in tandem with the main development effort).

I've made it really easy to use alternate authenticators with the new Support Center.

Re-implementing LDAP should be an afternoon project, so when I get a few spare moments I'll do the groundwork for external authenticator plug-ins (e.g., LDAP, vBulletin) in the helpdesk and Support Center. From there it's pretty easy to hand off to anybody else over here.

Thanks!

dptekco
12-11-2007, 11:09 PM
Can Cerberus staff please update us regarding the status of LDAP or any mechanism to do authentication with an external store?

ETA and details are appreciated.

Thanks!

jstanden
12-11-2007, 11:39 PM
Hey there!

Dan@WGM wrote the code for LDAP already (for workers + Support Center).

I just need to use his LDAP server over here and do some simple refactoring so the Support Center can have pluggable authentication.

Cerb4 itself already can support pluggable authentication, we just need to hook it into the UI. We also need to decide what to do about the 'chicken and egg' of having no fixed 'superuser' account, but needing a way to allow you guys to still log in without LDAP.

The hard work is already done, we just need to find the time to wrap it up.

(The community hasn't been banging on the dev castle gates about it! :D)

dptekco
12-13-2007, 05:02 PM
A little off topic but what the hell,

We have never implemented LDAP before. Can anyone point us to a little blurb of how the LDAP back interface is implemented?

Is LDAP essentially Active Directory?

For external authentication, have you ever considered Cerberus simply calling an external script via https, passing the user input for username / password, where the called script simply returns true/false? This seems lightweight and to the point! :)

jstanden
12-14-2007, 09:58 AM
[QUOTE]
A little off topic but what the hell,
We have never implemented LDAP before. Can anyone point us to a little blurb of how the LDAP back interface is implemented?
[/QUOTE]

OpenLDAP is a popular open-source LDAP daemon:
http://www.openldap.org/
http://www.howtoforge.net/linux_ldap_authentication

Dan recommends this LDAP viewer:
http://www.jxplorer.org/

[QUOTE]
Is LDAP essentially Active Directory?
[/QUOTE]

Yeah!

http://en.wikipedia.org/wiki/Ldap
http://en.wikipedia.org/wiki/Active_Directory

Active Directory (AD) is the Microsoft attempt at LDAP (insert various groaning noises here).

[QUOTE]
For external authentication, have you ever considered Cerberus simply calling an external script via https, passing the user input for username / password, where the called script simply returns true/false? This seems lightweight and to the point! :)
[/QUOTE]

We use plugins for authentication, but the general idea is the same. The plugins can do anything they want to authenticate, provided they link the current session to a worker. They either report they succeeded (true) or not (false).

They can check an external DB, LDAP, file, horoscope, whatever.
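As an added illustration of the true/false plugin contract described in the post above (this is not Cerb4 code and not the authors' plug-in): a search-then-bind LDAP check using PHP's ldap extension. The function name, the `$cfg` keys and the host/DN values are hypothetical; the caller is assumed to link the session to the existing worker whose address matches the returned e-mail, so the worker id and admin flag come from that record.

```php
<?php
// Added example, not Cerb4 code. Hypothetical names: ldap_authenticate(),
// the $cfg keys, and the placeholder host/DNs in the usage comment below.
// Returns ['dn' => ..., 'email' => ...] on success, null on any failure.
function ldap_authenticate(array $cfg, string $login, string $password): ?array
{
    // An empty password turns a simple bind into an "unauthenticated bind",
    // which many servers answer with success. Reject it before any LDAP call.
    if ($login === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($cfg['uri']);   // assumes an ldap:// URI, upgraded via StartTLS
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        // Encrypt the channel before any credential crosses the wire.
        if (!@ldap_start_tls($conn)) {
            return null;
        }
        // 1. Bind as a low-privilege lookup account to find the user's DN.
        if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
            return null;
        }
        // 2. Escape the login so * ( ) \ and NUL cannot rewrite the filter.
        $filter = sprintf($cfg['filter'], ldap_escape($login, '', LDAP_ESCAPE_FILTER));
        $result = @ldap_search($conn, $cfg['base_dn'], $filter, ['mail'], 0, 2);
        if ($result === false) {
            return null;
        }
        $entries = ldap_get_entries($conn, $result);
        // Require exactly one match that carries a mail attribute.
        if ($entries['count'] !== 1 || empty($entries[0]['mail'][0])) {
            return null;
        }
        // 3. Prove the password by re-binding as the user's own DN.
        if (!@ldap_bind($conn, $entries[0]['dn'], $password)) {
            return null;
        }
        return ['dn' => $entries[0]['dn'], 'email' => $entries[0]['mail'][0]];
    } finally {
        ldap_unbind($conn);
    }
}
// Usage (constructed values):
// $who = ldap_authenticate(['uri' => 'ldap://ldap.example.test',
//     'bind_dn' => 'cn=lookup,dc=example,dc=test', 'bind_pw' => '...',
//     'base_dn' => 'ou=people,dc=example,dc=test', 'filter' => '(uid=%s)'],
//     $login, $password);
```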

nmorse
01-16-2008, 08:10 PM
Hey Jeff et al,

What's the possibility of an AD plugin/tie-in to pull info directly from Active Directory so individuals don't have to login/etc.?

-n

Hildy
02-27-2008, 09:11 PM
With the final push for 4.0 underway, this has been bumped to 4.1, but you can still follow it at the JIRA link above.

richbodo
04-02-2008, 02:02 AM
I'm watching this thread, so let me know when it's worth testing this and I'll start same day. I have an OpenLDAP server set up.

FWIW on the Windows LDAP browser question: AD is just LDAP+Kerberos+Bugs. The best LDAP viewer for Windows AD and every other known LDAP variant is at www.ldapbrowser.com. I hate to have to fire up a Windows VM to use it, but I do every time.

merwinb
04-03-2008, 08:24 PM
Same here. So far LDAP/Windows Auth is the only reason we haven't purchased a couple of worker licenses for Cerberus yet so I would be very interested to know when this will be working.

Thanks!

CWasko
04-03-2008, 09:26 PM
I'd love LDAP/AD support. However, the way I would like to see it implemented (at least for myself) is such that you can separate the Supporters from the Requesters. Meaning, I would only want my Supporters to have LDAP/AD authentication while the Requesters would just be normal cookie/web-auth.

What would even be better is if the Support Center and the KB used this same methodology.

screaming
08-05-2008, 11:11 PM
I got to this post from this ticket (http://www.wgmdev.com/jira/browse/CHD-183).

Any update on this? I know everyone's hard at work on other features of Cerberus but it's been almost a year since the initial request for LDAP came in.

What I am waiting to see from cerb4:

Automatic Cerb4 profile creation upon successful LDAP auth.
Being able to log in using a user-defined LDAP filter ( ((uin=*)) )
Email address from a user-defined LDAP filter ( ((emailAddress=*)) )


Maybe this could be implemented using a "Profile Type" in cerb4, with this profile type being "LDAP" as opposed to "Local". That way you can have both.

joegeck
08-12-2008, 02:36 AM
[QUOTE]
I got to this post from this ticket (http://www.wgmdev.com/jira/browse/CHD-183).

Any update on this? I know everyone's hard at work on other features of Cerberus but it's been almost a year since the initial request for LDAP came in.
[/QUOTE]



The feature request you mention, CHD-183, is set for the next release (#20). Unless this gets pushed back in favor of releasing things like Time Tracking earlier, then theoretically it should be coming out alongside it.

And as I'm sure you've seen countless times, still no estimated time. Hopefully sooner rather than later though.

tohaleyjr
03-16-2009, 03:36 AM
The last post indicated that this would be implemented in the 4.1 release. We now have 4.1, but I still don't see any LDAP for Workers or Customers (Support Center). Any idea on when this will be released?

Tom

joegeck
03-16-2009, 06:11 PM
[QUOTE]
The last post indicated that this would be implemented in the 4.1 release. We now have 4.1, but I still don't see any LDAP for Workers or Customers (Support Center). Any idea on when this will be released?
[/QUOTE]


This is the usual confusion, compounded by the fact it's been delayed for a later milestone. You see that 'this ticket' link user:screaming had in his last post. That linked to CHD-183's JIRA page where you can see whether or not this has been resolved and included in Cerb4's latest release.

http://www.wgmdev.com/jira/browse/CHD-183

If you go there now, you'll notice the 'Fix Version/s' is 4.2 - Milestone #1, meaning it has been delayed to the FIRST release of version 4.2. Also for future reference keep in mind what we mean by "Milestone". If you look on the Cerb4 Project page (http://www.wgmdev.com/jira/browse/CHD) you'll see that there are two more 4.1 releases, milestone #2 and #3. That means that 4.2 won't be the next release, which implies that CHD-183 won't be ready for at least 3 additional releases.

My recommendation for the feature is to bookmark the CHD-183 web page and check the progress after every major Cerb release. If it's finished, the 'status' (left sidebar) will read 'resolved' or 'closed', instead of 'open' as it is now. Closed says that we have verified it and it's ready to go. At that point look at the bottom of the comments section and see when Jeff@WGM or Joe@WGM says what build you can find it under, e.g. "verified in stable build 890". Once that build goes live, you'll find that feature included.

Hope that makes sense!